A number of flexible tactic-based logical frameworks are nowadays available that can implement a wide range of mathematical theories using a common higher-order metalanguage. Used as proof assistants, one of the advantages of such powerful systems resides in their responsiveness to extensibility of their reasoning capabilities, being designed over rule-based programming languages that allow the user to build her own 'programs to construct proofs', the so-called proof tactics.

The present contribution discusses the implementation of an algorithm that generates sound and complete tableau systems for a very inclusive class of sufficiently expressive finite-valued propositional logics, and then illustrates some of the challenges and difficulties related to the algorithmic formation of automated theorem proving tactics for such logics. The procedure on whose implementation we will report is based on a generalized notion of analyticity of proof systems that is intended to guarantee termination of the corresponding automated tactics as far as theoremhood in our targeted logics is concerned.
1 Introduction

The early history of the LCF family of theorem provers, first implemented as proof checkers by Robin Milner in the early 70s, based on Dana Scott's Logic for Computable Functions, can be said to be essentially an evolution of Alonzo Church's original proposal of a simple theory of types, developed three decades before (cf. [7]). Arguably, though, their great success as generic logical frameworks for the specification of a wide range of useful mathematical theories within a unified setting came in fact from later developments, namely: (1) the design of an accompanying powerful type-safe functional language that would allow the needs of the theorem-proving community to be quite naturally expressed; (2) the decision to use a constructive higher-order logic as the underlying metalanguage and to use higher-order unification as the underlying mechanism in which to specify diverse genera of inference systems as theories written in a common framework. The programming language that was designed in that process, ML, was intended to give support to the expression of higher-order abstract syntax for the definition and manipulation of object-logics, as well as to advanced pattern-matching capabilities for the definition and manipulation of abstract high-level datatypes. From the point of view of theorem-proving, such flexible datatypes were to allow for the representation of useful objects such as formulas, theorems or even proofs, as well as some strategic operations over those objects, called tactics, that represented subgoaling strategies used in the construction of proofs. Higher-order operations for combining tactics and taking stricter control of the result of proof-search procedures were also to be made available as the so-called tacticals. A modern heir of the LCF-style family of proof assistants and tactical provers, allowing for both interactive and automated reasoning, is the system Isabelle (cf. [6]), which will be utilized in what follows.

A simple and elegant deductive formalism for the specification of proof procedures for both classical and non-classical logics is provided by the refutation-oriented method of tableaux (cf. [3]). In the classical bivalent propositional case, the inference rules of (signed or unsigned) tableau systems are based on adequate versions of a subformula principle that guarantees that the overall complexity of the involved formulas decreases as tableau rules are applied in the construction of a tableau derivation. The resulting collection of rules, in that case, is said to be analytic, and decidability, in general, follows from that. Indeed, analytic proof procedures eliminate in particular the use of the so-called 'cut rule' (which often presupposes some ingenuity from the proof designer) and are very useful for automation as they greatly facilitate the finding of proofs. On the other hand, exactly because they eliminate cut, such procedures render the expression of proof lemmas more difficult, if not outright impossible. However, this limitation can often be negotiated, with an additional gain in the speed of the corresponding derivations, if one considers systems allowing for the so-called 'analytic cuts' (cf. [4]). In one way or another, the objective is to define a rule-based framework for propositional logics in which the termination, with more or less efficiency, of a given theorem-proving task is guaranteed at the outset.

In [1] an algorithm was devised to extract bivalent (in general, non-truth-functional) characterizations for an extensive class of finite-valued propositional logics and then turn those characterizations into classic-like adequate tableau systems for those logics. By a 'bivalent' characterization of a logic, here and in that paper, we mean a collection of interpretation mappings that takes only two 'logical' values into consideration, in spite of the many 'algebraic' values that might be used by the logic's original multi-valued truth-functional semantics; the role of the extraction algorithm is to guarantee that both the bivalent and the finite-valued characterization end up determining the same entailment relation. We have used ML to implement the mentioned algorithm, and the output of our program is an Isabelle theory which can be used for computer-assisted proofs of theorems and derived rules of the corresponding finite-valued logics. Such proof systems, automatically extracted from the sets of truth-tables taken as input by our program, contained a non-eliminable version of the cut rule, and in fact no detailed proof was presented then that analytic cuts, for instance, would suffice for every proof system generated by the above mentioned algorithm. An improved axiom extraction algorithm has recently been proposed in [2], though, for the same class of logics, in which cut is eliminable. The latter algorithm has some remarkable features, being based on non-standard complexity measures that are intended to guarantee the analyticity of its output, once one uses such measures to formulate convenient proof strategies. The paper [5] shows in detail how that same axiom extraction mechanism can be extended to any finite-valued logic, irrespective of the expressiveness of its original language. The present paper employs an illustration of this procedure to briefly report on the challenges and difficulties related to the implementation of the mentioned novel algorithms, having again as output Isabelle theories, but this time enhanced with the automatic formation of cut-free proof tactics for the complete automation of the corresponding theorem-proving tasks.

2 Tableaux 

A tableau system is both a proof and a counter-model building procedure based on the construction of refutation trees. A tableau rule is a schematic tree modifier, and its application allows us, given a branch in which we find instances of the rule's heads, to extend the leaf of this branch by considering all the possibilities provided by the corresponding instances of the rule's daughters. For an example, the classical tableau rules for negation and implication can be represented as:

$$\frac{F{:}\neg\alpha}{T{:}\alpha}\qquad\frac{T{:}\neg\alpha}{F{:}\alpha}\qquad\frac{F{:}(\alpha\to\beta)}{\begin{array}{c}T{:}\alpha\\F{:}\beta\end{array}}\qquad\frac{T{:}(\alpha\to\beta)}{F{:}\alpha\ \Big|\ T{:}\beta}\tag{1}$$

This means, for instance, that a branch containing a signed formula of the form F:(α→β) may be extended by adding in sequence new nodes of the form T:α and F:β. Similarly, a branch containing a signed formula of the form T:(α→β) may be extended in two different ways, both by adding a new node of the form F:α and by adding a new node of the form T:β. The semantic reading of such rules is obvious. The following closure rule, syntactically expressing an unobtainable semantic situation, completes the characterization of classical logic:

$$\begin{array}{c}T{:}\alpha\\F{:}\alpha\\\hline\times\end{array}\tag{2}$$

The rule is intended to say that a branch that contains an occurrence of the formula α labelled with the sign T and an occurrence of the same formula labelled with the sign F may be said to be closed. A whole tree is said to be closed if all of its branches are closed. Now, in case we want to verify the inference of a formula α from a set of premises γ1, γ2, ..., γn, using such 2-signed tableau rules for classical logic, what we do is to try and find a closed tableau tree starting from the linear sequence of labelled nodes T:γ1, T:γ2, ..., T:γn, F:α.

The above tableau system for classical logic respects an obvious subformula principle according to which each of the daughters of a non-closure rule is a proper subformula of some of the rule's heads, disregarding the corresponding labels. It is easy to see that the following canonical complexity measure decreases with rule application:

$$(\ell 1)\ \ \ell(p)=0,\ \text{where } p \text{ is an atom}\qquad\qquad(\ell 2)\ \ \ell(\neg\varphi_1)=\ell(\varphi_1)+1\tag{3}$$

Obviously, the closure rule is the only rule applicable to nodes with complexity zero. We say that a proof system is analytic if it only allows a rule to be applied when its daughters have smaller complexity than at least one of the corresponding heads. In other words, an analytic proof system is one to which a proof strategy has been associated in such a way that complexity always decreases with rule application. This is obviously the case, without restriction, for the above collection of rules for classical logic, applied in any particular order.

Analyticity guarantees termination of a proof procedure, as soon as the application of rules has a completely deterministic result and becomes otherwise redundant. We say that a tableau tree is terminated when: (T1) all of its branches are closed; (T2) there are open branches and no further rule is applicable without introducing redundancies. In case (T1) we may say that the initial inference has been successfully verified; in case (T2), the open branches allow us to extract all the counter-models to the initial inference.
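The classical 2-signed procedure of this section, as an added example in Python that is not code from the paper: it implements rules (1) and (2), checks at every rule application that the canonical measure of (3) decreases, and distinguishes the terminated cases (T1) and (T2), reading counter-models off the open branches. The clause of the measure for → is not visible in this copy and is assumed here to be 1 + ℓ(φ1) + ℓ(φ2); dropping a head once it has been expanded is this example's way of avoiding redundant re-application, and the function names are its own.

```python
# Added example (not code from the paper): a small 2-signed tableau prover
# for classical propositional logic over the connectives of rules (1)-(2),
# with the canonical complexity measure of (3) checked at every rule
# application and the termination cases (T1)/(T2) of this section.
# Formulas are nested tuples: an atom is a string, ('~', a) is ¬a and
# ('->', a, b) is a→b.  A branch is a list of (sign, formula) nodes.

def complexity(phi):
    """Canonical measure: 0 for an atom, 1 plus the measure of the immediate
    subformulas otherwise (the clause for → is this example's assumption)."""
    if isinstance(phi, str):
        return 0
    return 1 + sum(complexity(sub) for sub in phi[1:])


def daughters(sign, phi):
    """Rule (1) with head sign:phi, as a list of alternative branches, each
    being the list of nodes it adds; None when the node is an atom (no rule)."""
    if isinstance(phi, str):
        return None
    if phi[0] == '~':                            # [F:¬] and [T:¬]
        return [[('T' if sign == 'F' else 'F', phi[1])]]
    a, b = phi[1], phi[2]
    if sign == 'F':                              # [F:→] adds T:a and F:b
        return [[('T', a), ('F', b)]]
    return [[('F', a)], [('T', b)]]              # [T:→] opens two branches


def closed(branch):
    """Closure rule (2): the same formula occurs with both signs."""
    nodes = set(branch)
    return any(('F' if s == 'T' else 'T', f) in nodes for s, f in nodes)


def tableau(branch):
    """Develop `branch` to termination.  Returns [] when every branch closes
    (case T1) and otherwise the list of open, fully expanded branches (T2)."""
    if closed(branch):
        return []
    for i, (sign, phi) in enumerate(branch):
        alts = daughters(sign, phi)
        if alts is None:
            continue
        # Analyticity: every daughter is strictly less complex than the head,
        # and the head is dropped once expanded, so no rule is ever re-applied.
        assert all(complexity(g) < complexity(phi) for alt in alts for _, g in alt)
        rest = branch[:i] + branch[i + 1:]
        opened = []
        for alt in alts:
            opened.extend(tableau(rest + alt))
        return opened
    return [branch]                              # only atoms left: terminated, open


def proves(premises, conclusion):
    """Check the inference premises ⊢ conclusion from the initial nodes
    T:γ1, ..., T:γn, F:α, exactly as described in the text."""
    start = [('T', g) for g in premises] + [('F', conclusion)]
    return tableau(start) == []


def countermodels(premises, conclusion):
    """Valuations of the atoms read off the open branches: p is true on a
    branch holding T:p and false on one holding F:p."""
    start = [('T', g) for g in premises] + [('F', conclusion)]
    return [{p: s == 'T' for s, p in sorted(set(b))} for b in tableau(start)]


if __name__ == '__main__':
    A, B = 'a', 'b'
    print(proves([('->', A, B), A], B))                      # modus ponens closes
    print(proves([], ('->', ('->', ('->', A, B), A), A)))    # Peirce's law closes
    print(countermodels([('->', A, B)], A))                  # open branches: a must be false
```

The assertion inside `tableau` is the analyticity check of the text made executable: if a rule ever produced a daughter at least as complex as its head, the recursion could fail to terminate, and the check would flag it before that happens.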
3 Many-Valued Logics

Many-valued logics deviate from classical logic in allowing larger classes of truth-values, the so-called designated and undesignated values, to represent, respectively, 'degrees of truth' and 'degrees of falsity'. The rest remains pretty much the same, from the semantical point of view, so that for each assignment of truth-values to the atoms of a given n-ary formula φ there is a unique way of extending that into an interpretation φ̂ of that formula as an n-ary operator over the extended algebra of truth-values.

An algorithm for obtaining analytic 2-signed tableau systems for finite-valued logics was described in [1], and we will illustrate it in what follows, for the instructive case of Łukasiewicz's four-valued logic L4. This logic has 1 as its only designated value and 2/3, 1/3 and 0 as its undesignated values. Its connectives ¬ and → are interpreted as operators over the set of values {1, 2/3, 1/3, 0} by way of the following definitions and their corresponding truth-tables:



$$(\mathrm{L4}\text{-}1)\ \ \neg v = 1 - v\qquad\qquad(\mathrm{L4}\text{-}2)\ \ v_1 \to v_2 = \min(1,\ 1 - v_1 + v_2)\tag{4}$$

Truth-tables (computed from (L4-1) and (L4-2); for → the rows give v1 and the columns v2):

      v   | ¬v             →   |  1    2/3   1/3    0
     -----+-----          -----+----------------------
      1   |  0             1   |  1    2/3   1/3    0
     2/3  | 1/3           2/3  |  1     1    2/3   1/3
     1/3  | 2/3           1/3  |  1     1     1    2/3
      0   |  1             0   |  1     1     1     1



Now, to produce a classic-like 2-signed tableau system for L4 the idea is to associate, in terms of the signs T and F, to each truth-value of this logic a unique binary print that distinguishes this truth-value from any other truth-value. Given a collection of truth-values V, its characteristic function t : V → {T, F} is a mapping that associates T to designated values and F to undesignated values. Binary prints are sequences of unary formulas, called separating formulas, that use the latter characteristic function to distinguish between truth-values. In the case of L4, the following choice of separating formulas can be seen to do the job: θ1(φ) = ¬φ and θ2(φ) = ¬¬(φ → ¬φ). Consider indeed the table:
      v   | θ1(v) | θ2(v) || t(v) | t(θ1(v)) | t(θ2(v))
     -----+-------+-------++------+----------+----------
      1   |   0   |   0   ||  T   |    F     |    F
     2/3  |  1/3  |  2/3  ||  F   |    F     |    F
     1/3  |  2/3  |   1   ||  F   |    F     |    T
      0   |   1   |   1   ||  F   |    T     |    T                (5)

(values of θ1 and θ2 computed from (L4-1) and (L4-2))

Notice how each truth-value v is associated to a unique triple (t(v), t(θ1(v)), t(θ2(v))).



All rules of the corresponding tableau system will have labelled binary prints as branches. For example, the rules corresponding to (L4-1) are:

$$\frac{F{:}\neg\alpha}{\begin{array}{c}F{:}\alpha\\F{:}\theta_1(\alpha)\\T{:}\theta_2(\alpha)\end{array}\ \Big|\ \begin{array}{c}F{:}\alpha\\F{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\end{array}\ \Big|\ \begin{array}{c}T{:}\alpha\\F{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\end{array}}\qquad\qquad\frac{T{:}\neg\alpha}{\begin{array}{c}F{:}\alpha\\T{:}\theta_1(\alpha)\\T{:}\theta_2(\alpha)\end{array}}\tag{6}$$



An additional set of rules, with heads of the form S:θ1(φ) and S:θ2(φ), with φ = ¬α and φ = α→β and S ∈ {T, F}, is needed to guarantee soundness and completeness of the 2-signed tableau system with respect to the initial finite-valued truth-tabular characterization of the current target logic, L4. Here are, by way of an illustration, the rules for T:θ2(α→β) and T:θ1(¬α):

$$\frac{T{:}\theta_2(\alpha\to\beta)}{\begin{array}{c}F{:}\alpha\\F{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\\F{:}\beta\\T{:}\theta_1(\beta)\\T{:}\theta_2(\beta)\end{array}\ \Big|\ \begin{array}{c}T{:}\alpha\\F{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\\F{:}\beta\\T{:}\theta_1(\beta)\\T{:}\theta_2(\beta)\end{array}\ \Big|\ \begin{array}{c}T{:}\alpha\\F{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\\F{:}\beta\\F{:}\theta_1(\beta)\\T{:}\theta_2(\beta)\end{array}}\qquad\qquad\frac{T{:}\theta_1(\neg\alpha)}{\begin{array}{c}T{:}\alpha\\F{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\end{array}}\tag{7}$$



Finally, the set of closure rules contains not only the classical rule (2), but also all other combinations of labelled binary prints that do not correspond to possible valuations, according to the truth-tables of L4. In the case of this logic, the extra closure rules will then be:



$$\begin{array}{c}F{:}\alpha\\T{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\\\hline\times\end{array}\qquad\begin{array}{c}T{:}\alpha\\F{:}\theta_1(\alpha)\\T{:}\theta_2(\alpha)\\\hline\times\end{array}\qquad\begin{array}{c}T{:}\alpha\\T{:}\theta_1(\alpha)\\F{:}\theta_2(\alpha)\\\hline\times\end{array}\qquad\begin{array}{c}T{:}\alpha\\T{:}\theta_1(\alpha)\\T{:}\theta_2(\alpha)\\\hline\times\end{array}\tag{8}$$



A closer look at the above four closure rules will reveal, for instance, that the second and fourth rules, from left to right, only differ in the sign of θ1(α). Clearly, however, T:θ1(α) and F:θ1(α) are the only two possible ways of labelling the formula θ1(α). Accordingly, those two rules should give origin to a simpler rule:

$$\begin{array}{c}T{:}\alpha\\T{:}\theta_2(\alpha)\\\hline\times\end{array}\tag{9}$$



A similar approach can in fact be used to simplify other rules of the system, reducing the number of resulting branches and formulas (cf. [5]). Using that idea, for instance, the three branches of the rules [F:¬] and [T:θ2→], in the left halves of (6) and (7), could be simplified into just two branches, each with one node less.
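The print-and-rule extraction of this section, as an added Python example that is not the paper's own program: starting only from (L4-1), (L4-2), the designated value 1 and the separating formulas θ1 and θ2, it computes the binary prints of table (5), checks that they separate the four values, generates the branches of any rule with head S:θ_i(op(α1, ..., αn)), lists the impossible prints that become the closure rules (8), and merges closure rules that differ in exactly one sign, as (8) is simplified to (9). The encoding of a branch as a tuple of prints and the function names are this example's own; the example is general in the connective and in the position of the separating formula, so the same `rule_for` yields every rule of (6) and (7).

```python
# Added example (not the paper's extraction program): computing binary
# prints and extracting 2-signed tableau rules from the truth-tables of L4,
# following the construction of this section.  The encodings (tuples of
# signs, the rule_for/closure_prints names) are this example's own.
from fractions import Fraction as Fr
from itertools import product

VALUES = [Fr(1), Fr(2, 3), Fr(1, 3), Fr(0)]   # truth-values of L4
DESIGNATED = {Fr(1)}                           # 1 is the only designated value


def neg(v):                 # (L4-1)  ¬v = 1 - v
    return 1 - v


def imp(v1, v2):            # (L4-2)  v1 → v2 = Min(1, 1 - v1 + v2)
    return min(Fr(1), 1 - v1 + v2)


def t(v):                   # characteristic function: T on designated values
    return 'T' if v in DESIGNATED else 'F'


def theta1(v):              # θ1(φ) = ¬φ
    return neg(v)


def theta2(v):              # θ2(φ) = ¬¬(φ → ¬φ)
    return neg(neg(imp(v, neg(v))))


SEPARATORS = (theta1, theta2)


def binary_print(v):
    """The triple (t(v), t(θ1(v)), t(θ2(v))) of table (5)."""
    return (t(v),) + tuple(t(th(v)) for th in SEPARATORS)


def separating():
    """The chosen θs do the job iff distinct values get distinct prints."""
    return len({binary_print(v) for v in VALUES}) == len(VALUES)


def rule_for(sign, pos, op, arity):
    """Daughters of the rule whose head is  sign : θ_pos(op(α1, ..., αn)),
    where pos = 0 stands for the plain formula and pos = 1, 2 for θ1, θ2.
    Each branch is the tuple of the arguments' binary prints, i.e. the
    labelled nodes the rule adds for α1, ..., αn.  Branches are sorted so
    that the result can be compared directly."""
    branches = set()
    for args in product(VALUES, repeat=arity):
        value = op(*args)
        label = t(value) if pos == 0 else t(SEPARATORS[pos - 1](value))
        if label == sign:
            branches.add(tuple(binary_print(a) for a in args))
    return sorted(branches)


def closure_prints():
    """Sign triples that no truth-value realises: the extra closure rules (8)."""
    possible = {binary_print(v) for v in VALUES}
    return sorted(p for p in product('TF', repeat=3) if p not in possible)


def merge_closures(prints):
    """Greedily merge two closure prints that differ in exactly one position
    into one rule without that node (shown as '_'), as (8) is simplified to (9)."""
    prints, used, merged = list(prints), set(), []
    for i, p in enumerate(prints):
        for j in range(i + 1, len(prints)):
            q = prints[j]
            diff = [k for k in range(len(p)) if p[k] != q[k]]
            if len(diff) == 1 and i not in used and j not in used:
                used.update((i, j))
                merged.append(tuple('_' if k == diff[0] else p[k] for k in range(len(p))))
    return merged + [p for i, p in enumerate(prints) if i not in used]


if __name__ == '__main__':
    for v in VALUES:
        print(v, binary_print(v))                    # table (5)
    print('[F:¬]   ', rule_for('F', 0, neg, 1))      # left half of (6)
    print('[T:θ2→] ', rule_for('T', 2, imp, 2))      # left half of (7)
    print('closure ', closure_prints(), '->', merge_closures(closure_prints()))
```

The three branches returned for `rule_for('T', 2, imp, 2)` are, in order, the prints (2/3, 0), (1, 1/3) and (1, 0) for (α, β), i.e. exactly the three alternatives of the left half of (7); `merge_closures` finds two one-sign merges among the four prints of (8), one of which is rule (9).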

Analyticity for the above system is ensured by enforcing a particular proof strategy that regulates rule applications based on an adequate non-canonical measure of complexity. To implement that strategy, a convenient first step would be to precede definition (3) by a further clause:



$$(\ell 0)\ \ \ell(\theta(\varphi))=\ell(\varphi),\ \text{for every separating formula } \theta\tag{10}$$



Observe how now different clauses of the upgraded definition of complexity may potentially apply to the same formula φ, depending on whether we look at it as a θ-formula or not. Notice moreover that the new complexity measure is still well-defined as a function, once it is read from (ℓ0) to (ℓ3), in this order. On the other hand, even if we identify a given formula as a θ-formula, there might be, for instance, formulas φ1 and φ2 and separating formulas θ1 and θ2 such that θ1(φ1) = φ = θ2(φ2). In that case, the rule to be applied should be the one that decreases the complexity the most, and this 'minimality requirement' should also be conveniently internalized in the above definition of the complexity measure (check the details in [2]). For example, the signed formula T:¬¬((α→β)→¬(α→β)) might equally well be read as an instance of T:θ1(¬((α→β)→¬(α→β))) or as an instance of T:θ2(α→β). The three choices of reading would result in three different extensions of a tableau branch having the initial signed formula as one of its nodes. The first two choices are, according to the right halves of (6) and (7):

    Rule [T:¬] is applied:                   Rule [T:θ1¬] is applied:

    T:¬¬((α→β)→¬(α→β))                       T:θ1(¬((α→β)→¬(α→β)))
            |                                          |
    F:¬((α→β)→¬(α→β))                        T:((α→β)→¬(α→β))
    T:θ1(¬((α→β)→¬(α→β)))                    F:θ1(((α→β)→¬(α→β)))
    T:θ2(¬((α→β)→¬(α→β)))                    F:θ2(((α→β)→¬(α→β)))

The third choice corresponds exactly to the rule pictured at the left half of (7). Clearly, it is in this last and more 'concrete' choice that the rule application results in less complex formulas. Our tableau strategy should take that into consideration. To guarantee in fact that the new complexity measure given in (3) and (10) continues to be well-defined as a complexity function, one also has to guarantee that (10) chooses, for a non-atomic formula φ, the separating formula θ that results in 'minimally' complex output branches, when the corresponding rule is applied. Details of this can be found in [2] and [3]. The final tableau strategy of choice is then to be strictly based on such upgraded complexity measure, in order to guarantee analyticity.

Just to illustrate the fundamental relevance of such strategy, if one did not strictly follow it in the above example, one could have opted for the first choice of reading, that of rule [T:¬], and then it could be observed that from the sequence of three resulting daughters, the second would be just the head of the rule reiterated, and the third would be the more complex formula T:¬¬(¬((α→β)→¬(α→β)) → ¬¬((α→β)→¬(α→β))). The tableau building procedure, in such a situation, would not necessarily be terminating.



4 Tactics 

Our axiom extraction program takes as input the definition of a many-valued logic and generates a file with a theory ready to use with Isabelle. The theory includes the set of all tableau rules for the object logic. In addition, taking advantage of the analytic character of the system defined by the new algorithm, rewrite rules and tactics for automated theorem proving are constructed.

In the output file for the logic L4, the rules for F:¬α, T:¬α, T:θ2(α→β) and T:θ1(¬α) exhibited in the previous section are represented in Isabelle's syntax¹ by:

    FNeg:   "[| [ $H, F:A0, F:t1(A0), T:t2(A0), $G ] ;
               [ $H, F:A0, F:t1(A0), F:t2(A0), $G ] ;
               [ $H, T:A0, F:t1(A0), F:t2(A0), $G ] |]
            ==> [ $H, F:~(A0), $G ]"

    TNeg:   "[| [ $H, F:A0, T:t1(A0), T:t2(A0), $G ] |]
            ==> [ $H, T:~(A0), $G ]"

    Tt1Neg: "[| [ $H, T:A0, F:t1(A0), F:t2(A0), $G ] |]
            ==> [ $H, T:t1(~(A0)), $G ]"


¹ The syntax employed here is that of Isabelle 2005, and the assisted proofs are done in the command line interface.
    Tt2Imp: "[| [ $H, F:A0, F:t1(A0), F:t2(A0), F:A1, T:t1(A1), T:t2(A1), $G ] ;
               [ $H, T:A0, F:t1(A0), F:t2(A0), F:A1, T:t1(A1), T:t2(A1), $G ] ;
               [ $H, T:A0, F:t1(A0), F:t2(A0), F:A1, F:t1(A1), T:t2(A1), $G ] |]
            ==> [ $H, T:t2(A0 --> A1), $G ]"

In the above higher-order sequent-style syntax, the symbol $ marks a context, and the meta-implication ==> separates the branch representing the current goal, at the right, from its subgoals, at the left. A closure rule such as the first one from (8) is represented as an axiom of the form:

    CR1: "[ $C1, F:A, $C2, T:t1(A), $C3, F:t2(A), $C4 ]"

We further add to the theory some convenient rewrite rules to allow the system to recognize given formulas as instances of separating formulas whenever possible. Only the outermost formulas may be instantiated as θ-formulas, as this rewrite is intended to be followed by a rule application, and there are no rules for formulas with nested θs.

    t1_def: "S:~A0 == S:t1(A0)"

    t2_def: "S:~~(A0 --> ~A0) == S:t2(A0)"

Again, to guarantee termination of proofs we must follow a convenient order of instantiation, starting with the rewrite rule that reduces the complexity of the formula the most, namely the one that takes θ2 into consideration. A tactic for ordered instantiation, in the case of L4, may be defined by:

    val auto_rw = (rewrite_goals_tac [t2_def]) THEN
                  (rewrite_goals_tac [t1_def]);

where the command rewrite_goals_tac [t2_def] rewrites all formulas of the subgoal using the definition t2_def, and similarly for t1_def. The tactical THEN makes sure that the second line of the above tactic will be executed only after the first one, and this strategy will guarantee the correct order of instantiation in the case where different θ-rules are applicable, in view of the minimality requirement mentioned in the previous section, necessary to guarantee analyticity. Here is an illustration of the use of auto_rw:

    1. [F:~~(A-->~A), T:~~(A-->~B)]                  (* Current state of proof *)
    2. [T:~~((A-->B)-->~(A-->B)), T:~A, F:~~A]

    ML> by auto_rw;                                  (* Using the tactic *)

    1. [F:t2(A), T:t1(~(A-->~B))]                    (* New state of proof *)
    2. [T:t2(A-->B), T:t1(A), F:t1(~A)]
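The ordered instantiation that auto_rw performs, together with the minimality requirement of the previous section, as an added Python example that is not the paper's Isabelle theory: the two rewrites are implemented as pattern matchers on a tuple representation of formulas, tried in the order θ2 then θ1 exactly as THEN sequences them, and the two subgoals of the illustration above are rebuilt by hand to check that the same new proof state results. The clause of ℓ for → is not visible in this copy and is assumed here to be 1 + ℓ(φ1) + ℓ(φ2); the function names and the printing syntax are this example's own.

```python
# Added example (not the paper's Isabelle theory): the ordered instantiation
# performed by auto_rw, i.e. reading a signed formula as a θ2-instance before
# a θ1-instance, and the minimality requirement of Section 3, on a Python
# formula representation.  Atoms are strings, ('~', a) is ¬a, ('->', a, b)
# is a→b, and ('t1', φ) / ('t2', φ) are the readings θ1(φ) / θ2(φ).
# The clause of ℓ for → is not visible in this copy of the paper; it is
# assumed here to be 1 + ℓ(φ1) + ℓ(φ2).

def complexity(phi):
    """(ℓ1)-(ℓ2) plus (ℓ0): a θ-reading costs as much as its argument."""
    if isinstance(phi, str):
        return 0
    if phi[0] in ('t1', 't2'):
        return complexity(phi[1])
    return 1 + sum(complexity(s) for s in phi[1:])


def as_theta2(phi):
    """¬¬(φ → ¬φ)  ↦  ('t2', φ), the pattern of t2_def; None otherwise."""
    if isinstance(phi, tuple) and phi[0] == '~' and isinstance(phi[1], tuple) and phi[1][0] == '~':
        inner = phi[1][1]
        if isinstance(inner, tuple) and inner[0] == '->' and inner[2] == ('~', inner[1]):
            return ('t2', inner[1])
    return None


def as_theta1(phi):
    """¬φ  ↦  ('t1', φ), the pattern of t1_def; None otherwise."""
    if isinstance(phi, tuple) and phi[0] == '~':
        return ('t1', phi[1])
    return None


def readings(phi):
    """All ways to read φ: as itself and as each applicable θ-instance."""
    return [phi] + [r for r in (as_theta1(phi), as_theta2(phi)) if r is not None]


def minimal_reading(phi):
    """The reading of least complexity under (ℓ0)-(ℓ3): the one the strategy must pick."""
    return min(readings(phi), key=complexity)


def auto_rw(node):
    """One node (sign, φ): try t2_def first, then t1_def, as THEN orders them."""
    sign, phi = node
    for reading in (as_theta2, as_theta1):
        r = reading(phi)
        if r is not None:
            return (sign, r)
    return node


def rewrite_goal(branch):
    """Apply auto_rw to every node of a subgoal (outermost formulas only)."""
    return [auto_rw(n) for n in branch]


def fmt(phi):
    """Render in the Isabelle-like syntax used on the page (~, -->, t1, t2)."""
    if isinstance(phi, str):
        return phi
    op, args = phi[0], phi[1:]
    if op == '->':
        left = fmt(args[0])
        if isinstance(args[0], tuple) and args[0][0] == '->':
            left = '(' + left + ')'
        return left + '-->' + fmt(args[1])
    sub = fmt(args[0])
    if op == '~':
        return '~' + ('(' + sub + ')' if isinstance(args[0], tuple) and args[0][0] == '->' else sub)
    return op + '(' + sub + ')'


def show(branch):
    return '[' + ', '.join(s + ':' + fmt(f) for s, f in branch) + ']'


# The two subgoals of the page's illustration, constructed here by hand.
A, B = 'A', 'B'
GOAL1 = [('F', ('~', ('~', ('->', A, ('~', A))))),
         ('T', ('~', ('~', ('->', A, ('~', B)))))]
GOAL2 = [('T', ('~', ('~', ('->', ('->', A, B), ('~', ('->', A, B)))))),
         ('T', ('~', A)),
         ('F', ('~', ('~', A)))]

if __name__ == '__main__':
    for goal in (GOAL1, GOAL2):
        print(show(goal), ' ==> ', show(rewrite_goal(goal)))
    print(minimal_reading(GOAL2[0][1]))     # the θ2 reading of T:~~((A-->B)-->~(A-->B))
```

`minimal_reading` makes the point of the previous section concrete: for T:¬¬((α→β)→¬(α→β)) the plain reading has complexity 6, the θ1 reading 5 and the θ2 reading 1, so the θ2 instantiation is the one the strategy must pick, and trying t2_def before t1_def is what guarantees it.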

We may now use again Isabelle's native tacticals and construct a tactic for fully automatic theorem proving, by describing a procedure to exhaustively repeat, for every branch of the proof tree, the following steps:

1. instantiate formulas by rewriting (auto_rw), then 

2. close the branch by applying one of the closure rules or 

3. apply another rule of the system, in some suitable order. 

The first step will ensure that the right choice will be made when multiple rules are applicable to a formula. Next, the tactic tries to close the branch as soon as possible, to speed up the process. If closure is not possible at that stage, the next step will try to apply another rule of the system, in the most convenient application order (for instance, postponing branching as much as possible), and start again. The procedure terminates, due to the analyticity of the system, and at the end either Isabelle will deliver a message that says 'No subgoals!', meaning that the proof has been successfully concluded, or else there will be a list of subgoals, that is, open branches which are impossible to close and such that all their formulas have complexity zero, so that no further rule is applicable. From those open branches, as usual, counter-models can be assembled.

Extra details will be at hand to be surveyed by the interested reader as the full system is made 
available on-line, in open source. 